Static one to one NAT


Hello all,

I am having trouble configuring some one-to-one NATs and wondering if someone could assist. Not sure what I am doing wrong. I feel that I am close. I am currently working on a TA 912 (1st gen) running A1.02.00.E. I have a /29 block - 209.x.x.72/29. I would like to have three one-to-one NATs, open on all ports:

  1. 209.x.x.76 natted to 10.0.0.103
  2. 209.x.x.77 natted to 10.0.0.148
  3. 209.x.x.75 natted to 10.0.0.2 

Here are some portions of the current config:

interface eth 0/1
  no snmp trap link-status
  ip address  10.0.0.1  255.255.255.0
  ip address  209.x.x.73  255.255.255.248 secondary
  access-policy INSIDE100
  no shutdown

interface ppp 1
  ip address negotiated
  ip address  209.x.x.76  255.255.255.255 secondary
  ip address  209.x.x.77  255.255.255.255 secondary
  ip address  209.x.x.78  255.255.255.255 secondary
  access-policy OUTSIDE100
  media-gateway ip primary
  qos-policy out VOICE
  max-reserved-bandwidth 85
  no shutdown
  cross-connect 1 t1 0/1 1 ppp 1

ip access-list extended WAN100
  permit ip any  host 209.x.x.76

ip access-list extended WAN200
  permit ip any  host 209.x.x.75

ip access-list extended WAN300
  permit ip any  host 209.x.x.77

ip access-list extended LAN100
  permit ip host 10.0.0.103  any

ip access-list extended LAN200
  permit ip host 10.0.0.2  any

ip access-list extended LAN300
  permit ip host 10.0.0.148  any

ip access-list standard ALL
  permit any

ip access-list extended NAT
  permit ip 10.0.0.0 0.0.0.255  any

ip access-list extended publicLAN
  permit ip any  209.x.x.72 0.0.0.7
!
ip access-list extended publicLAN_out
  permit ip 209.x.x.72 0.0.0.7  any

ip policy-class INSIDE100
  nat source list LAN100 address 209.x.x.76 overload
  nat source list LAN200 address 209.x.x.75 overload
  nat source list LAN300 address 209.x.x.77 overload
  nat source list NAT interface ppp 1 overload

ip policy-class OUTSIDE100
  allow list MGDR_TELNET
  allow list ICMP
  nat destination list WAN100 address 10.0.0.103
  nat destination list WAN200 address 10.0.0.2
  nat destination list WAN300 address 10.0.0.148
  discard list ALL

Accepted Solutions

Re: Static one to one NAT


Tonycaf,

Thanks for posting.  After looking over your configuration, I do see a couple of things we may need to modify.  First, we need to add the 209.x.x.75 address to the PPP interface.

interface ppp 1
  ip address 209.x.x.75 255.255.255.255 secondary

Also, you may have just omitted them, but verify that the access lists MGDR_TELNET and ICMP exist in your configuration.  The traffic that matches on these access lists will not fall through to the "nat destination" rules below.  Also, if those access lists do not exist in your configuration, they are treated as a "match all" which would also prevent this configuration from working as you would expect.

Lastly, a good way to determine how a unit is treating/mapping sessions is to use the "show ip policy-sessions" command.  For example, let's say you planned to use 209.x.x.76 as a web server.  You could access a computer on the Internet and type that IP address into your web browser.  As you do that, you can enter the "show ip policy-sessions" command to view that session as it flows through the unit.  You should expect to see something similar to the following.

Policy class "OUTSIDE100":
tcp (600) -> INSIDE100
  1.1.1.1  38491    209.x.x.76   80    d 10.0.0.103   80

You may have many other sessions, but these two lines would indicate that the traffic was forwarded to 10.0.0.103.  Feel free to respond to this e-mail with any additional configuration you may have regarding the access lists, "show ip policy-sessions" output, or any further questions you may have.

Thanks!

David

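As an added illustration (not part of the thread and not ADTRAN's own code), the short Python model below walks the poster's OUTSIDE100 policy class in order the way David's answer describes: an allow list that does not exist matches everything, so an inbound TCP session to the .76 address never reaches the "nat destination list WAN100" rule until MGDR_TELNET and ICMP are actually defined. The 203.0.113.0/29 block and the contents of MGDR_TELNET and ICMP are assumptions standing in for the redacted and omitted parts of the posted configuration.

```python
# Added example (not from the thread): a tiny model of how an AOS policy class
# walks its entries top to bottom, showing why an undefined allow list (treated
# as "match all") swallows traffic before the "nat destination" rules are reached.
# 203.0.113.0/29 is a constructed stand-in for the redacted 209.x.x.72/29 block.
from ipaddress import ip_address, ip_network

# Access lists: name -> permit entries (protocol, source net, destination net);
# "any" is written as 0.0.0.0/0. These mirror the lists shown in the question.
ACLS = {
    "WAN100": [("ip", "0.0.0.0/0", "203.0.113.4/32")],   # host 209.x.x.76
    "WAN200": [("ip", "0.0.0.0/0", "203.0.113.3/32")],   # host 209.x.x.75
    "WAN300": [("ip", "0.0.0.0/0", "203.0.113.5/32")],   # host 209.x.x.77
    "ALL":    [("ip", "0.0.0.0/0", "0.0.0.0/0")],
}
# Assumed (hypothetical) contents for the two lists the poster did not show.
DEFINED_EXTRAS = {
    "MGDR_TELNET": [("tcp", "0.0.0.0/0", "203.0.113.1/32")],  # mgmt to the router itself
    "ICMP":        [("icmp", "0.0.0.0/0", "0.0.0.0/0")],
}
# The OUTSIDE100 policy class from the thread, in the order the unit evaluates it.
OUTSIDE100 = [
    ("allow", "MGDR_TELNET", None),
    ("allow", "ICMP", None),
    ("nat destination", "WAN100", "10.0.0.103"),
    ("nat destination", "WAN200", "10.0.0.2"),
    ("nat destination", "WAN300", "10.0.0.148"),
    ("discard", "ALL", None),
]

def acl_matches(acls, name, proto, src, dst):
    """First-match permit semantics; a list that does not exist matches everything."""
    if name not in acls:
        return True
    for p, s, d in acls[name]:
        if p in ("ip", proto) and ip_address(src) in ip_network(s) \
                and ip_address(dst) in ip_network(d):
            return True
    return False

def evaluate(policy, acls, proto, src, dst):
    """Return (action, list name, final destination) from the first entry whose list matches."""
    for action, name, new_dst in policy:
        if acl_matches(acls, name, proto, src, dst):
            return action, name, (new_dst or dst)
    return "discard", None, dst   # implicit discard when nothing matched

if __name__ == "__main__":
    pkt = ("tcp", "198.51.100.9", "203.0.113.4")   # Internet host -> public .76 (constructed)
    print("lists missing :", evaluate(OUTSIDE100, ACLS, *pkt))
    print("lists defined :", evaluate(OUTSIDE100, {**ACLS, **DEFINED_EXTRAS}, *pkt))
```

With the two lists missing the packet is simply allowed untranslated (so it never shows the "d 10.0.0.103" mapping in show ip policy-sessions); once they are defined it falls through to WAN100 and is forwarded to 10.0.0.103.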


Re: Static one to one NAT


Thanks for the help on this. I did end up working with another co-worker and got this working properly.


Re: Static one to one NAT


Tonycaf,

I went ahead and flagged this post as “Assumed Answered”.  If the response on this thread assisted you, please mark it as Correct or Helpful as the case may be with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.

Thanks!

David